January 7

New Year, Same Challenges.

If you are reading this blog post you have officially survived 2016. By most accounts this last year was a rough one. Cyber attacks have been no exception to this calculation. We saw the announcements of some of the biggest breaches in history, the continued proliferation of ransomware, and even the recent reports that Russia was meddling in our politics through attacks on our IT security.

Let us, as a collective, decide to do better this year. Most of the atrocious breaches and other IT security-related incidents could have been avoided if we could get on top of our security hygiene. Security starts with basics, and that is where we need to return to this year.

Back to basics

Before we start to spend boatloads of money on new security solutions, like new software and hardware, look at what is there and how it can be better protected. I perform penetration testing and security assessments almost every working day; almost as often, I find terribly simple mistakes that could lead to compromise or sensitive data leakage. Most of these issues are directly related to missing patches or, even worse, using end-of-life (EOL) and deprecated software.

Can you answer these questions confidently? When was the last time you did a vulnerability scan on your network? How many findings were there? How many of those would still be there if another scan was run today? Obviously, those are rhetorical questions and I don’t expect a deluge of emails answering them. However, I am here if anyone has questions for me.

Now, how would you answer those questions? Don’t feel ashamed if you would have much the same results from a new scan; almost everyone is in that same boat. But why? Because it is too easy to put things off, to wait for a new system to replace the vulnerable one, to ignore fixes due to lack of time. This does not mean this is the right attitude, but it is the pervasive one.

Attitude Adjustment

I believe that one of the single greatest improvements that we could make to security today is to address that security today, with what there is already in place. Before you start blowing the seemingly endless 2017 budget on bigger and better analytics, or a rack-mounted box of silicon and aluminum that promises to save the day through security black magic, consider your own house first. How long ago did you intend to have all of the EOL systems off of the corporate network? Are you still accepting TLS 1.0, or worse yet, any version of SSL? These are just a few of the items that I see practically daily.

What I propose is that we make initiatives, and follow through, to get these old systems shored up. So what if the firewalls, database, or system is due to be replaced this year? Attackers are not looking for issues to exploit next month, or even tomorrow; they are looking for cracks in the perimeter now. I am by no means saying that you should not move forward with improvements and upgrades. What I am saying is that those line items should not be used as an excuse to ignore issues residing on the network now.

What Can We Do?

What we once thought of as a wall around our network is now more of a porous mesh that lets almost anything through. We let users bring in their own mobile phones, connect them to corporate email, and trust they won’t allow their device to be compromised. We have all opened up countless ingress and egress points in our once solid walls to allow cloud-based services to be accessed, to allow our users to access the web, to allow external devices (BYOD and contractor provided) to access the internal network. This is the new face of security, but that does not mean it should be ignored. Our attack surfaces are growing exponentially every day, and if we ignore issues we know about, then new fixes will not make a difference.

Business as usual should continue, for one. Then, step back and look at all of those things that got pushed to the back burner last year. How many of these might well be the root cause of an upcoming incident? Reassess and prioritize how the resources available should be allocated. Approach the here and now; plan for the future, but don’t rely on it as a fix for problems that are real and present in this moment. As always, we are more than willing to help with that assessment.

Copyright © 2014. John R. Nye, All rights reserved.

Posted January 7, 2017 by john.r.nye@gmail.com in category "Bellevue CYBR650"

About the Author

Professional penetration tester with nearly a decade of experience in IT security. For more details look me up on LinkedIn.
